HIGH · CVE-2025-59049 · CVSS 7.5

CVE-2025-59049: Path Traversal in @mockoon/commons-server

Platform

nodejs

Component

@mockoon/commons-server

Fixed in

9.2.1

9.2.0

AI Confidence: high · NVD · EPSS 1.9% · Reviewed: May 2026

CVE-2025-59049 describes a Path Traversal vulnerability discovered in the @mockoon/commons-server component. The flaw can allow an attacker to read sensitive files from the server's filesystem by manipulating user-supplied input that is used when serving files. The vulnerability affects versions prior to 9.2.0 and has been resolved in that release. A fix is available.

Impact and Attack Scenarios

The core of this vulnerability lies in the way @mockoon/commons-server handles static file serving through templating. An attacker can craft malicious requests that exploit this templating mechanism to bypass intended file access restrictions. This allows them to retrieve arbitrary files from the server's filesystem, potentially including configuration files, API keys, or other sensitive data. The impact is particularly concerning in cloud-hosted server instances where the blast radius could be significant, potentially exposing data across multiple users or applications relying on the mock API. Successful exploitation could lead to data breaches and compromise of the entire server environment.

Exploitation Context

CVE-2025-59049 was publicly disclosed on 2025-03-11. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code may become available, increasing the risk of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.91% (83rd percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base score: 7.5 (HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: @mockoon/commons-server
Vendor: osv

Affected range | Fixed in
< 9.2.0 | 9.2.1
< 9.2.0 | 9.2.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-59049 is to immediately upgrade to @mockoon/commons-server version 9.2.0 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on any user-supplied data used in file path generation. Employing a Web Application Firewall (WAF) with rules to block requests containing path traversal sequences (e.g., ../) can provide an additional layer of defense. Regularly review and audit the mock API configuration to ensure adherence to security best practices. After upgrade, confirm by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.

How to fix

Update Mockoon to version 9.2.0 or higher. This version fixes the Path Traversal and LFI vulnerability in the static file serving endpoint. The update will prevent attackers from accessing arbitrary files on the server filesystem.


Frequently asked questions

What is CVE-2025-59049 — Path Traversal in @mockoon/commons-server?

CVE-2025-59049 is a Path Traversal vulnerability in @mockoon/commons-server versions before 9.2.0, allowing attackers to read arbitrary files from the server's filesystem.

Am I affected by CVE-2025-59049 in @mockoon/commons-server?

You are affected if you are using @mockoon/commons-server versions prior to 9.2.0. Check your installed version and upgrade immediately if necessary.

How do I fix CVE-2025-59049 in @mockoon/commons-server?

Upgrade to @mockoon/commons-server version 9.2.0 or later to resolve the vulnerability. Implement input validation as a temporary workaround.

Is CVE-2025-59049 being actively exploited?

There is currently no evidence of active exploitation, but public POCs could emerge, increasing the risk.

Where can I find the official @mockoon advisory for CVE-2025-59049?

Refer to the official @mockoon project repository and release notes for the latest advisory and details on the fix.
